main/gnutls/CVE-2017-7507-1.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

From 4c4d35264fada08b6536425c051fb8e0b05ee86b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 24 May 2017 10:46:03 +0200
Subject: [PATCH] ext/status_request: ensure response IDs are properly deinitialized

That is, do not attempt to loop through the array if there is no array
allocated.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 lib/ext/status_request.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index f5a46dc..049d852 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -69,7 +69,10 @@ typedef struct {
 
 static void deinit_responder_id(status_request_ext_st *priv)
 {
-unsigned i;
+	unsigned i;
+
+	if (priv->responder_id == NULL)
+		return;
 
 	for (i = 0; i < priv->responder_id_size; i++)
 		gnutls_free(priv->responder_id[i].data);
@@ -135,6 +138,7 @@ server_recv(gnutls_session_t session,
 {
 	size_t i;
 	ssize_t data_size = size;
+	unsigned responder_ids = 0;
 
 	/* minimum message is type (1) + responder_id_list (2) +
 	   request_extension (2) = 5 */
@@ -153,23 +157,24 @@ server_recv(gnutls_session_t session,
 	DECR_LEN(data_size, 1);
 	data++;
 
-	priv->responder_id_size = _gnutls_read_uint16(data);
+	responder_ids = _gnutls_read_uint16(data);
 
 	DECR_LEN(data_size, 2);
 	data += 2;
 
-	if (data_size <= (ssize_t) (priv->responder_id_size * 2))
+	if (data_size <= (ssize_t) (responder_ids * 2))
 		return
 		    gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
-	if (priv->responder_id != NULL)
-		deinit_responder_id(priv);
+	deinit_responder_id(priv);
 
-	priv->responder_id = gnutls_calloc(1, priv->responder_id_size
+	priv->responder_id = gnutls_calloc(1, responder_ids
 					   * sizeof(*priv->responder_id));
 	if (priv->responder_id == NULL)
 		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 
+	priv->responder_id_size = responder_ids;
+
 	for (i = 0; i < priv->responder_id_size; i++) {
 		size_t l;
 
--
libgit2 0.25.0